Peter A Clarke

On 16 January the European Data Protection Board (EDPB) adopted Guidelines 01/2025 on Pseudonymisation which is effective on 17 January 2025. Pseudonymisation is poorly understood by organisations and some practitioners. It is also an important means of data protection.

t should be noted that OVIC has undertaken a very detailed assessment into de identification and higlighted the problems with it.

The guidelines sets out in details guidance on on the use and benefits of pseudonymisation under the General Data Protection Regulation (GDPR). Importantly it clarifies

• what pseudonymization means,
• how to use it to meet data protection requirements, and
• how to implement it.

Australia operates under the Privacy Act and is not bound by the GDPR.  That said many organisations in Australia operate in Europe nad to that extent are bound by hte operation of the GDPR.  Further, the guidelines from the EU like the NIST publications provide valuable assistance in dealing with privacy issues. 

What is Pseudonymization?

Art. 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.”

Pseudonymisation can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations). 

Pseudonymisation should at least concern direct identifiers (e.g. passport or social security numbers, but also the combination of the full name of a person with his or her date of birth) which, alone, allow to identify data subjects. The pseudonymising entity should also be mindful of indirect identifiers (e.g. by deleting such indirect identifiers, generalising or randomising them), which may also allow to identify a data subject despite the pseudonymisation.

It is important to implement what is called technical and organisational measures, to protect the separation of the additional information, but also to protect the pseudonymised data (so that they do not inappropriately leave the pseudonymisation domain.  Those measures include:

• network segmentation (i.e. dividing a network into sub-networks that are hermetic, at least to a certain extent);
• storing secret keys in hardware security modules;
• securing authentication for Application Programming Interface (API) access;
• rate limiting and logging the execution of the pseudonymising transformation and its reverse application;
• employing or designating specifically authorised personnel to perform and manage the pseudonymisation process; 
• proper employee training
  

When to use Pseudonymisation ?

Pseudonymisation is not mandatory.  It is a useful to deal with risks associated with data processing and breaches. It can help organisations:

• rely on lawful bases for processing personal data, such as “legitimate interests” (;
• with data minimisation, data protection by design and by default;
• reduce the risks of unauthorized access or function creep, where data may be used for purposes other than those for which it was collected; and
• enhance the confidentiality and security of data processing.

Is Pseudonymized Data Still Personal Data?

The guidelines make it clear that pseudonymized data remains personal data subject to the GDPR. It is not anonymised, which requires data to be irreversibly unidentifiable. 

Is Pseudonymized Data Still Personal Data When Transferred to a Third Party?

Pseudonymising data before transferring it to third parties can ensure data security and for complying with the data minimisation principle.

The Advocate General of the Court of Justice of the European Union (CJEU) released an opinion on February 6, 2025. where he  found that where pseudonymisation is sufficiently robust to conclude that data is not reasonably identifiable to the organization, it is not processing personal data. Eah case is analysed through  “all objective factors such as the costs of and amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”

 

I